I’ve gotta get a new phone


photo credit: johanl

I have known for a while that Facebook (and probably other smartphone apps) are Trouble. (Yes, capital T Trouble.) The Terms of Service for Facebook Messenger, as well as others, require users to give them permission to access other parts of the phone (like contacts, email, texting) where PHI might be stored. One recent privacy update to the TOS for Facebook, when installed on an Android phone, gives them permission to read text messages. This page on Facebook’s site explains it in more detail (they have a reasonable explanation for why they want to do that), but I just don’t see how we can have both Facebook and PHI on our phones at the same time and feel like we are HIPAA compliant about that.

The best solution I’ve heard is to have a separate phone for work (and any PHI is kept only on that phone). On this work-specific phone, apps are installed consciously and conservatively–and only after the entire Terms of Service has been actually read (so you know what you are agreeing to!). Alternatively, some providers are choosing to keep a ‘dumb phone’ (aka not a smartphone at all) in order to be extra sure that PHI is secured.